Web Application Security: How to Minimize Prevalent Risk of Attacks


Table of Contents
I. Summary
II. Primer on Web Application Security
III. Types of Web Application Vulnerabilities
IV. Detecting Web Application Vulnerabilities
V. QualysGuard WAS Automates Detection of Vulnerabilities
VI. Protect Your Web Applications
VII. About Qualys

Summary

Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of vulnerability disclosures affected web applications.[1] At year end, 74% of web application vulnerabilities had no available patch for remediation, according to that report.

Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these often fall outside the traditional expertise of network security managers, and that relative obscurity makes them attractive to attackers. As many organizations have discovered, these attacks evade traditional enterprise network defenses unless you take new precautions: to a firewall or a network vulnerability scanner, an injection attempt is just another well-formed HTTP request to port 80 or 443.

To help you understand how to minimize these risks, Qualys provides this guide as a primer on web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution, a new on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.

Primer on Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Most attacks are a form of fault injection: the attacker supplies input that exploits flaws in how the application parses it (syntax) or acts on it (semantics). Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by systematically varying a Uniform Resource Identifier (URI), which in turn can trigger an exploit such as SQL injection or cross-site scripting:

  http://example/foo.cgi?a=1            <- normal request
  http://example/foo.cgi?a=1'           <- SQL injection (a stray quote breaks the query)
  http://example/foo.cgi?a=<script>     <- cross-site scripting (XSS)

Some attacks attempt to alter the application's logical workflow. Attackers also execute these by varying a URI:

  http://example/foo.cgi?admin=false
  http://example/foo.cgi?admin=true     <- increase privileges

A significant number of attacks exploit vulnerabilities in syntax and semantics, and you can discover many of these with an automated scanning tool. Logical vulnerabilities are much harder to find with a scanner, because both the request and the response look well-formed; they require manual source code analysis and security testing.

Web application security vulnerabilities usually stem from programming errors in a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, a design pattern, or an architecture.

[1] IBM ISS X-Force 2008 Trend & Risk Report, http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

These vulnerabilities can be complex and may occur under many circumstances. Using a web application firewall might control the effects of some exploits, but it will not resolve the underlying vulnerabilities.

Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in the list published by the Open Web Application Security Project (www.owasp.org). Other efforts to systematically organize web application vulnerabilities include the six categories published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication (stealing user account identities)
- Brute Force attacks automate a process of trial and error to guess a person's username, password, credit-card number or cryptographic key.
- Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
- Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user's password.

    "Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn't limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements."
    -- Building a Web Application Security Program, whitepaper, Securosis.com

Authorization (illegal access to applications)
- Credential / Session Prediction is a method of hijacking or impersonating a user by guessing or deducing the value of a session ID or other credential.
- Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
- Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
- Session Fixation attacks force a user's session ID to an explicit value, typically one the attacker already knows.
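One way to close the three session weaknesses in the list above (prediction, fixation, insufficient expiration) in server-side code, as an added example in Python. This is not Qualys code and not any particular framework's session API; the class names, the timeout values and the caller-supplied clock are assumptions made so the expiry paths can be exercised without waiting.

```python
"""Server-side session store closing the three session weaknesses listed
under Authorization above: prediction, fixation and insufficient expiration.

Added example, not Qualys code or any framework's API. The timeout values
are assumed policy; `now` is passed in by the caller so that expiry can be
exercised with a constructed clock instead of real waiting.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None       # None until login succeeds
    created: float = 0.0             # for the absolute timeout
    last_seen: float = 0.0           # for the idle timeout
    data: dict = field(default_factory=dict)


class SessionStore:
    IDLE_TIMEOUT = 15 * 60           # seconds (assumed policy)
    ABSOLUTE_TIMEOUT = 8 * 3600      # seconds (assumed policy)

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: the next ID cannot be predicted
        # from any number of previously observed ones.
        return secrets.token_urlsafe(32)

    def start(self, now: float) -> str:
        """Issue an anonymous (pre-login) session. Only IDs minted here are
        ever honoured, so an ID an attacker plants in a victim's browser
        (fixation) is unknown to the store and ignored by get()."""
        sid = self._new_id()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def login(self, sid: str, user: str, now: float) -> str:
        """Bind an authenticated user to a fresh ID. The pre-login ID is
        invalidated, so whatever the attacker knew before the victim logged
        in grants nothing afterwards."""
        old = self.get(sid, now)
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, created=now, last_seen=now,
                                          data=old.data if old else {})
        return new_sid

    def get(self, sid: str, now: float) -> Optional[Session]:
        """Resolve an ID, enforcing idle and absolute expiry. Unknown,
        attacker-chosen, logged-out and expired IDs all resolve to None,
        which is what defeats reuse of an old session ID."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.IDLE_TIMEOUT or now - s.created > self.ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The ID returned by start() or login() is what goes into the session cookie; setting that cookie with the Secure and HttpOnly flags is a separate control this block does not cover. Note that get() deletes an expired entry rather than merely refusing it, so a later request carrying the stale ID cannot be "revived" by a clock anomaly.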

Client-side Attacks (illegal execution of foreign code)
- Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
- Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user's browser.

Command Execution (hijacks control of the web application)
- Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
- Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
- LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
- OS Commanding executes operating system commands on a web site by manipulating application input.
- SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
- SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.
- XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure (shows sensitive data to attackers)
- Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.
- Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
- Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
- Predictable Resource Location uncovers hidden web site content and functionality.

Logical Attacks (interfere with application usage)
- Abuse of Functionality uses a web site's own features and functionality to consume, defraud or circumvent access control mechanisms.
- Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
- Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
- Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

    "The number of vulnerabilities affecting Web applications has grown at a staggering rate. In 2008, vulnerabilities affecting Web server applications accounted for 54 percent of all vulnerability disclosures and were one of the primary factors in the overall growth of vulnerability disclosures during the year."
    -- IBM X-Force 2008 Trend & Risk Report

Detecting Web Application Vulnerabilities

There is no silver bullet for detecting web application vulnerabilities. The strategy for their detection mirrors the multi-layer approach used for security on a network. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner. An automated web application vulnerability scanner both supplements and complements manual forms of testing. It provides five key benefits:
- Lowers total cost of operations by automating repeatable testing processes
- Identifies vulnerabilities of syntax and semantics in custom web applications
- Performs authenticated crawling
- Profiles the target application
- Ensures accuracy by effective reduction of false positives and false negatives

A scanner does not have access to the web application's source code, so the only way it can detect vulnerabilities is by sending likely attack inputs to the target application and inspecting the responses. Scan time varies, but a broad simulated attack on an application takes significantly longer than a network vulnerability scan against a single IP: every parameter of every discovered page has to be exercised with many payloads. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application's functionality; a page, form or parameter the crawler never reaches is never tested, so incomplete coverage will cause the scanner to overlook existing vulnerabilities.
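The primer's three probe URIs and the "perform likely attacks and judge the response" approach described above, as one added example in Python. This is not Qualys code and not how QualysGuard WAS is implemented; the hypothetical foo.cgi endpoint, its in-memory SQLite table and the probe payloads are all constructed here. vulnerable_handler is the endpoint as an attacker hopes to find it, hardened_handler is the same endpoint with the faults removed, and probe is a toy scanner that, having no source, varies each parameter and looks only at what comes back.

```python
"""Fault injection and black-box detection in one place (added example,
not Qualys code). The handlers stand in for foo.cgi; `probe` is a toy of
what a scanner does. All data is constructed inline.
"""
import html
import sqlite3
from urllib.parse import urlsplit, parse_qs, urlencode

# Strings a scanner treats as evidence that injected input reached a SQL parser.
SQL_ERROR_SIGNATURES = ("syntax error", "unrecognized token", "Database error")


def make_db():
    """Constructed sample table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "public-item"), (2, "hidden-item")])
    return db


def params_of(uri):
    """?a=1&b=2 -> {'a': '1', 'b': '2'} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query, keep_blank_values=True).items()}


def vulnerable_handler(uri, db, session=None):
    """String-built SQL, raw echo of input, error text sent to the client,
    and a privilege decision read from a client-controlled parameter."""
    p = params_of(uri)
    a = p.get("a", "1")
    body = f"<p>You asked for {a}</p>"                        # reflected XSS
    try:
        rows = db.execute(f"SELECT name FROM items WHERE id = {a}").fetchall()  # SQLi
    except sqlite3.Error as e:
        return 500, body + f"<pre>Database error: {e}</pre>"  # information leakage
    body += "".join(f"<li>{r[0]}</li>" for r in rows)
    if p.get("admin") == "true":                              # logic flaw: trusts the URI
        body += "<p>admin panel</p>"
    return 200, body


def hardened_handler(uri, db, session=None):
    """Same endpoint with the faults removed. `session` is server-side state
    (assumed to be set at login); the client cannot alter it through the URI."""
    p = params_of(uri)
    a = p.get("a", "1")
    if not a.isdigit():                                       # validate against the schema
        return 400, f"<p>Bad request: {html.escape(a)}</p>"   # encode anything echoed
    rows = db.execute("SELECT name FROM items WHERE id = ?", (int(a),)).fetchall()
    body = f"<p>You asked for {html.escape(a)}</p>"
    body += "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    if (session or {}).get("admin"):                          # privilege from the server only
        body += "<p>admin panel</p>"
    return 200, body


def probe(handler, base_uri, db):
    """Black-box scan of one URI: for every parameter, replay the request
    with an attack payload appended and judge the response alone."""
    findings = []
    base = params_of(base_uri)
    path = base_uri.split("?", 1)[0]
    for name, value in base.items():
        for payload, kind in (("'", "SQL injection"), ("<qx>", "Cross-site scripting")):
            mutated = dict(base, **{name: value + payload})
            status, body = handler(f"{path}?{urlencode(mutated)}", db)
            if kind == "SQL injection" and (
                    status == 500 or any(sig in body for sig in SQL_ERROR_SIGNATURES)):
                findings.append((kind, name))
            if kind == "Cross-site scripting" and payload in body:   # reflected unencoded
                findings.append((kind, name))
    return findings


if __name__ == "__main__":
    db = make_db()
    target = "http://example/foo.cgi?a=1&admin=false"
    print("vulnerable:", probe(vulnerable_handler, target, db))
    print("hardened:  ", probe(hardened_handler, target, db))
```

Run stand-alone, probe reports SQL injection and cross-site scripting in parameter a of the vulnerable handler and nothing for the hardened one. It says nothing about admin=true on either handler: flipping that parameter yields a 200 with one extra paragraph, which is indistinguishable from normal behaviour to anything that does not know the application's authorization model. That is the concrete reason the text above reserves logical vulnerabilities for source code analysis and manual testing.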

QualysGuard WAS Automatically Detects Major Web Application Vulnerabilities

The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Use of QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. Its tests focus on web application security rather than on the underlying network.

Key Benefits. WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application, even if it extends across multiple web sites. This site profile data helps WAS adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications for which little is known about error pages or other behavior. As a result, WAS delivers highly accurate detection and reduces false positives. The automated nature of Web Application Scanning enables regular testing that produces consistent results and easily scales to large numbers of web sites.

Current Features. The following table describes the capabilities of QualysGuard WAS to assess and track web application vulnerabilities. Qualys plans to add other features during Q2/Q3 2009.

Feature                    Description
Crawling & Link Discovery  Embedded web crawler parses HTML and some JavaScript to extract links. Automatically balances breadth and depth of discovered links to crawl up to 5,000 links per web application.
Authentication             HTTP Basic and NTLM server-based authentication. Simple form authentication.
Black List                 Prevents the crawler from visiting certain links in a web application.
White List                 Instructs the crawler to visit only links explicitly defined in this list.
Performance Tuning         User-determined bandwidth level for parallel scanning to control impact on application performance.
Sensitive Content          Enables user-specified expression search for content in HTML, such as Social Security Numbers.

Figure: Reports such as the Web Application Scorecard provide big-picture and drill-down visibility on vulnerabilities for each web application.

Operations. QualysGuard WAS is delivered as an on demand service fully integrated with the QualysGuard solutions already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports through the familiar QualysGuard web interface. WAS scans may be pre-scheduled or executed on demand. The WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users. Finally, a scanner only finds vulnerabilities: with QualysGuard WAS, at least one person in your organization must be responsible for managing remediation of the vulnerabilities found in your web applications.

Protect Your Web Applications

The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner is a powerful supplement to existing security efforts such as source code analysis and penetration testing. Those controls remain necessary, logical flaws in particular still depend on them, but QualysGuard WAS automates detection testing for the majority of threats, the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is cost effective. Just like QualysGuard, WAS is an easy-to-use on demand service that allows administrators to execute scans without any special knowledge of web application security.

QualysGuard WAS trials are available now. General public release is scheduled for April 2009. If you would like a free trial of QualysGuard WAS, please contact Qualys to get started.

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions delivered as a service. Qualys Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard service is used today by more than 3,500 organizations in 85 countries, including 40 of the Fortune Global 100, and performs more than 200 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company. Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, Tata Communications, TELUS and VeriSign. For more information, please visit www.qualys.com.

Contact
www.qualys.com
USA: Qualys, Inc., 1600 Bridge Parkway, Redwood Shores, CA 94065. T: 1 (650) 801 6100, sales@qualys.com
UK: Qualys, Ltd., 224 Berwick Avenue, Slough, Berkshire, SL1 4QT. T: +44 (0) 1753 872101
Germany: Qualys GmbH, München Airport, Terminalstrasse Mitte 18, 85356 München. T: +49 (0) 89 97007 146
France: Qualys Technologies, Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie. T: +33 (0) 1 41 97 35 70
Japan: Qualys Japan K.K., Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo. T: +81 3 6860 8296
United Arab Emirates: Qualys FZE, P.O. Box 10559, Ras Al Khaimah, United Arab Emirates. T: +971 7 204 1225
China: Qualys Hong Kong Ltd., Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing. T: +86 10 84417495

Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 03/09